Vulnerability in EPiServer.Forms
A couple of months ago, one of our clients asked us to customize the UI of the Catalog a bit, more precisely the Product & Variant edit screens. They requested that, for properties having a predefined set of values, we replace the OOTB drop-down list with a filtering select (a drop-down list with the ability to type & filter values) because there are situations where they have tens or hundreds of possible options.
In order to do this, I've created a custom widget and changed the default string editor descriptor to use my widget for metafields having DataType = MetaDataType.DictionarySingleValue. It was implemented this way because we have hundreds of product types (metaclasses with metafields) but all of them were dynamically generated (no actual C# classes), so the UIHint was not an option for us.
After upgrading to the latest version of CMS & Commerce (previously we were using CMS 10.10 & Commerce 11.2.5), I've discovered that my implementation is not working anymore and that there is at least one new editor descriptor, DictionarySingleEditorDescriptor, which might interfere with my implementation. Even if my implementation is still hit when running the code, the DictionarySingleEditorDescriptor is called afterwards and overrides my widget settings. I was not able to override & register a custom implementation for DictionarySingleEditorDescriptor because it has a UIHint attribute.
Could someone provide some details on how the editor descriptors are registered & called when needed?